Chris McCormick

A few weeks ago at the BSides Perth conference I announced this piece of hardware I've been tinkering on.

The Bugout Box is a decentralized web appliance. Its a Raspberry Pi that any browser can connect to from anywhere in the world over WebRTC - a censorship-resistant way to serve data, APIs and apps.

Examples of things you can do with the box:

• Seed WebTorrents.
• Run decentralized Bugout server apps.

Head to bugout.network/box if you want to find out more and sign up to the pre-release list.

I've got three conference talks coming up in Perth (Australia), London, and The Gold Coast (Australia). If you're nearby let me know - I would love to buy you a coffee/beer and hear what you're up to.

Security BSides

This Sunday, September 22nd, Perth, Western Australia.

I'm presenting "Bugout: practical decentralization on the modern web." It's a talk about the library I built on top of WebTorrent for building web based decentralized systems.

Clojure eXchange

December 2nd-3rd, London, UK.

I'm giving a keynote: a show and tell of the multitude of strange things I've been building with the Clojure[Script] family of programming languages, and how Clojure enables the bad habit of starting way too many projects. I'll also give an update on Thumbelina, the tiny MIDI controller I've been working on with my friend Dimity.

Linux.conf.au

January 13th-17th, Gold Coast, Australia.

I'm talking about Piku, and how it helps you do git push deployments to your own servers. I've made a bunch of contributions to this open source project in recent months. I've personally found a huge productivity gain from being able to deploy internet services without having to think too much, and I'm excited to show others this too.

In November 2015 Nick Szabo gave a talk on the history of the blockchain which was dense with useful ideas.

Here are some notes I took on his talk:

• Philosophical inspiration to Cypherpunks who invented Cryptocurrency:

  • Ayn Rand: Galt's Gulch - independence from corrupt institutions.
  • Tim May: "protect yourself with cryptography" (cyber Galt's Gulch.)
  • Friederich Hayek: Institutions of property, contracts, money are actually important to human freedom.

• Use computer science to minimize vulnerability to strangers.

• Non-violently enforce the good services of institutions.

• "Try to secure as much as possible" not just communication.

• Cryptography: only secures communications from 3rd parties.

• David Chaum: let's apply this to money too.

• Centralization problem remained in digital cash startups.

• Bad assumptions in computer security: trusted third parties like certificate authorities are secure.

• Trusted third parties are security holes.

• Centralization is insecure.

• E.g. Communists were able to get stranglehold with just control of railroads, newspapers, radio.

• Gold is insecure

  • Spanish looted Aztec gold, pirates looted Spanish gold.
  • Part of end of gold standard was German U-boat threat to British gold transportation.
  • Franklin Roosevelt's government confiscated gold.
  • In modern times xray machines detect gold easily.

• Decentralization per computer science is much more automated & secure than traditional security.

• CS decentralization can only replace small fraction of traditional security but with very high cost savings.

• Traditional security isn't the protocol itself, requires strong external law enforcement.

• Computer security can be secure across national borders instead of siloed inside jurisdictions.

• Cryptocurrency helps solve this through decentralization.

• Separation of duties: several independent people to perform a task to get it done.

• Each node as independent as possible.

• E.g. crude measure of independence: geographic diversity of nodes.

• Number of nodes is only a proxy measure of decentralization.

• Smart contract:

  • Long lived process or "distributed app".
  • Acts like a contract.
  • Performance, verification etc.
  • Generally 2 parties + blockchain (replacing TPP).

• Wet code = traditional law. Dry code = smart contract.

• Law is subjective, enforced with coercion, flexible, highly evolved.

• Smart contracts are mathematically rigorous, cryptographically enforced, rigid, very new.

• Law is jurisdicionally siloed, and expensive to execute.

• Smart contracts are super-national & independent and low cost.

• Seals in clay/wax were important when writing was invented: signature + tamper evident.

• Modern seals at e.g. crime scenes: sealing door, evidence bag with numeric identifier.

• Blockchain can keep secure log with both semantics (serial number) and proof of evidence (photo hash).

• Put proof of evidence on blockchain as well as semantic reference for contract code to interface with.

• Can secure physical spaces with same mechanism.

• Proplets: blockchain can tell them which keys have which capabilities.

  • For almost any valuable property that can be controlled digitally
  • Example: Auto-repo collateral upon contract breach.
  • Example: creditors without access to offshore oil rig used as collateral.

• Recent project:

  • Trust minimized token: secure property titles, colored coins. Securing transfer of ownership.
  • Trust minimized cash flows (dividends, coupons, etc).

• Idea: social networks for blockchains. Execute payment swaps & smart contracts after linking social accounts together.

• Let's try to think about security more broadly instead of only encryption.

• Let's try to protect everything that's important to us, without centralization.

In 2014 Arvid Norberg and Steven Siloti came up with a BitTorrent extension called BEP44. The basic purpose of BEP44 is to allow people to store small pieces of information in a part of the BitTorrent network called the DHT. The DHT ("distributed hash table") is a key/value lookup table that is highly decentralized. Prior to BEP44 it was used to look up the IP addresses of peers from the hashes of the torrent they were sharing.

BEP44 introduces two new ways of storing key-value data in the DHT. The first is the ability to look up small bits of information keyed directly on their hash. The second allows for the storage of cryptographically authenticated data, keyed on the public key. What this means is if you have some public key K then you can look up authenticated blobs of data stored in the DHT by the owner of that key. This opens up a variety of useful abilities to people building decentralized applications.

For instance when you distribute a file on BitTorrent it is immutable - you can't change it - but BEP44 provides a way to tell people "hey, there is a new version of this file that I shared before which you can find over here" in a secure and authenticated way. It turns out that this basic mechanism can be used to build a wide variety of decentralized, authenticated functionality and people have built cool experiements like a decentralized microblog using it.

The purpose of this post is to show you how the datastructure works and how to apply it more widely in your own software.

If you just want a working implementation you can use, check out the decentral-utils JavaScript library which has a single-function implementation of the datastructure and algorithm which you can use in the browser. Web browsers unfortunately do not have direct access to the BitTorrent DHT, but the library is still useful for authenticating up-to-date data blobs that are passed around between browsers, for example over WebRTC.

What's good about BEP44

Most of the advantage of BEP44 comes from the cryptographic signing. What this offers is a way for somebody (let's call her Alice) to verify that a piece of data from somebody else (let's call him Bob) is authentic and that it has not been tampered with. You can do cryptographic signing without BEP44 of course.

However, the BEP44 specification brings some other features for building decentralized systems:

• Namespacing against a public key.
• Replay attack prevention.
• A compare-and-swap primitive.

The namespacing feature means that a single public key can have a bunch of different data blobs that others can authenticate. Because the datastructure is keyed on both the public key and a "salt" field, a single public key can store multiple blobs with different "salt" values as a sub-key.

Replay attack prevention is accomplished with the sequence field, which in BEP44 is a monotonically increasing integer. The way a replay attack works is some adversary keeps an old copy of something you have signed and then when you are offline they send it again and pretend its a new message. Because the message is signed with your key people are fooled by the adversary into thinking the old data is current. In BEP44 the sequence field prevents this because the adversary will have a data blob with a lower sequence number than the last one you shared and they can't generate a new blob with a higher sequence number because they do not have your private key. So the replayed data blob will be rejected.

Finally, the compare-and-swap primitive works by specifying a previous sequence number that the current data blob should replace. Peers will reject data blobs which don't replace the current sequence number they hold. In this way it's possible to acheive basic synchronisation and atomicity of data blobs. Using compare-and-swap guarantees that the new value you want to insert into the DHT can be calculated based on up-to-date information.

Example usage

Imagine you take upon yourself the small task of building a decentralized social network. Users have a timeline of posts which they have written. When they write a new post it should be appended to their timeline and people should see the updated timeline with the new post.

In the centralized social network case this is easy. The social network provider TwitFace has an internal copy of the poster's timeline to which they add the new post. Followers are notified of the update and the updated timeline is sent to them by the provider. The way the authentication works in this case is the original poster has logged in with their password and so the provider knows who they are, but the receivers of the update must trust the provider.

How do readers know that the post is authentic and comes from the original poster? The reader must trust the provider completely. They must trust that the provider is showing them the authentic timeline of messages, that the messages have not been modified, that fake messages have not been injected into the timeline, that new messages have been added to the feed in a timely fashion, and that no message has been censored and removed from the feed by the provider.

The problem with this model is that trusted third parties are security holes. Centralized social networks do modify things people have said. They do inject posts into people's timelines (ads and worse). They do change the order and timing of posts to suit their own goals. Perhaps worst of all, they do censor posts completely.

I won't get into the politics of censorship. Suffice it to say that censorship is fine and good right up until the point where your values differ from the entity doing the censoring. Values change, mysterious outside influences are myriad, and few people have complete alignment of values even with our noble corporate overlords in Silicon Valley.

The basic goal here is that if you've chosen to read somebody's timeline you can trust that the feed of posts you are reading from them is authentic and complete and as they intended.

Happily, we can use the BEP44 technique to route around the trusted-third-party centralized-social-network-provider security hole. BEP44 provides a way to receive an update and verify it cryptographically. It provides a way to know that this is the latest and complete version. It allows the verifier to do this using only the received data structure without requiring any kind of secret server side logic or password based authentiction like you would find in a centralized social network.

How it works

At the heart of the algorithm is a small datastructure which can be shared, updated by the sharer, and then shared again. Receivers can verify the updates are authentic. The idea is that you can share a small piece of authenticated data which points to a larger piece of immutable data. For instance, you can share an authenticated datastructure with the hash of a torrent containing all of your posts (an RSS feed for instance). Receivers then know that torrent is the current representation of your timeline of posts.

The datastructure has the following fields:

• value
• seq
• cas [optiona]
• salt [optional]
• pubkey
• signature

When a verifier receives a copy of this data structure they perform the following checks:

• Is the size of the value field below the maximum size?
• Does the value conform to the expected format / encoding?
• Is the seq number higher than the last seq number I saw (if any)?
• If cas is present does it match the previous seq number I have?
• Is the attached signature made with the private key corresponding to the attached pubkey over the datastructure's value, seq, and salt fields?

In this final point they are checking that the structure has been digitally signed with the author's private key. This is accomplished by concatenating salt + seq + value and then checking that the signature is valid for that data and the given public key.

In this way verifiers can know that an update from a known keypair/identity is authentic and current.

Read more posts on the subject of cryptography & decentralized systems.